il
a05951f883
update notes: - add http_status and http_verb for each expressions (actual budget, immich, opencloud) - fix crowdsec and issues documents
34 lines
1.2 KiB
Markdown
34 lines
1.2 KiB
Markdown
# Immich crowdsec false positive issue
|
|
|
|
## Status
|
|
- Finished
|
|
|
|
## Date
|
|
- 2026-03-21
|
|
|
|
## Version
|
|
- Immich: 2.6.1
|
|
|
|
## Problem
|
|
- When users access and log in Immich while Immich is generating thumbnail, all connections to homelab services are refused.
|
|
- fw ban users' IP address.
|
|
|
|
## Reason
|
|
- Immich sends 404 error to clients when the client request thumbnail while it is generating them.
|
|
- LAPI decides a ban when a lot of 404 errors occur in short time
|
|
|
|
## Timeline
|
|
- 2026-03-21: Release Immich
|
|
- 2026-03-21: Find the false positive case, and add whitelist
|
|
- 2026-05-07: Optimize whitelist expression
|
|
|
|
## Solution
|
|
- Access to fw
|
|
- Check the ban list with `sudo cscli alerts list`
|
|
- Read the ban case with `sudo cscli alerts inspect $NUMBER`
|
|
- Add expressions on whitelist
|
|
- evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
|
|
- Delete false positive decision
|
|
- Check false positive decision with `sudo cscli decision list`
|
|
- Delete false positive decision with `sudo cscli decision delete --id $ID`
|